Firewall not passing traffic even though it is allowed…



  • Hi,

    I am seeing some strange behavior from the firewall on my pfSense 2.0.

    Traffic is passing from one subnet to another via an IPsec VPN, which is working fine (in the sense that I can ping through the tunnel), but traffic from an Active Directory domain controller in one subnet to its replication partner in the other subnet is not being passed.
    Looking at the firewall logs, it shows this:

    Jun 27 08:05:33 LAN 172.16.3.2:389 172.18.1.4:61217 TCP:RA
    Jun 27 08:05:32 LAN 172.16.3.2:389 172.18.1.4:61217 TCP:A
    Jun 27 08:05:31 LAN 172.16.3.2:389 172.18.1.4:61217 TCP:A
    Jun 27 08:05:30 LAN 172.16.3.2:389 172.18.1.4:61217 TCP:A
    Jun 27 08:05:29 LAN 172.16.3.2:389 172.18.1.4:61217 TCP:A
    Jun 27 08:05:29 LAN 172.16.3.2:389 172.18.1.4:61217 TCP:A
    Jun 27 08:05:28 LAN 172.16.3.2:389 172.18.1.4:61217 TCP:A
    Jun 27 08:05:27 LAN 172.16.3.2:389 172.18.1.4:61217 TCP:A
    Jun 27 08:05:26 LAN 172.16.3.2:389 172.18.1.4:61217 TCP:A

    No blocks the other way round. I can ping 172.16.3.2 from 172.18.1.4 and vice versa, but cannot initiate any RPC traffic (which is also what the DC is trying when syncing with the File Replication Service).
    No problem connecting using RPC to other servers, just those two that won't.

    Found another thread mentioning asynchronous routing, but I don't see it applying here. The setup looks like this:

    Subnet A (172.16.0.0/16) –> pfSense --> Internet --> VPN gateway --> Subnet B (172.18.0.0/16)

    Regards,
    Anders
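The log lines quoted above are the telling part: every blocked packet carries A, PA or RA and none carries a bare SYN, which is the signature of a stateful filter dropping mid-stream segments because it holds no state for the flow, not of a user rule rejecting the connection. The following script is an added example, not code from the original post or from pfSense; it parses lines in the layout as pasted above (the raw filter log format on the box itself is different) and reports per flow whether the blocks are out-of-state drops or genuine rule blocks. The sample log is constructed from the nine lines in the post.

```python
import re
from collections import defaultdict

# Constructed sample input: the nine blocked-packet lines quoted in the post above,
# in the newest-first order pfSense shows them
# (timestamp, interface, src:port, dst:port, proto:flags).
SAMPLE_LOG = """\
Jun 27 08:05:33 LAN 172.16.3.2:389 172.18.1.4:61217 TCP:RA
Jun 27 08:05:32 LAN 172.16.3.2:389 172.18.1.4:61217 TCP:A
Jun 27 08:05:31 LAN 172.16.3.2:389 172.18.1.4:61217 TCP:A
Jun 27 08:05:30 LAN 172.16.3.2:389 172.18.1.4:61217 TCP:A
Jun 27 08:05:29 LAN 172.16.3.2:389 172.18.1.4:61217 TCP:A
Jun 27 08:05:29 LAN 172.16.3.2:389 172.18.1.4:61217 TCP:A
Jun 27 08:05:28 LAN 172.16.3.2:389 172.18.1.4:61217 TCP:A
Jun 27 08:05:27 LAN 172.16.3.2:389 172.18.1.4:61217 TCP:A
Jun 27 08:05:26 LAN 172.16.3.2:389 172.18.1.4:61217 TCP:A
"""

# Matches the layout as pasted in the post (assumed; not the on-disk filter log format).
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<iface>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>TCP|UDP)(?::(?P<flags>[A-Z]+))?$"
)


def parse_line(line):
    """Return a dict for one blocked-packet line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
    e["flags"] = e["flags"] or ""
    return e


def classify_tcp(flags):
    """A bare SYN that is blocked hit a rule; anything else is a mid-stream segment
    for which the firewall held no state (pf creates TCP states on the SYN)."""
    if "S" in flags and "A" not in flags:
        return "rule_blocked_syn"
    return "out_of_state"


def summarize(log_text):
    """Group blocked packets by (iface, src, sport, dst, dport), replayed oldest first."""
    flows = defaultdict(lambda: {"count": 0, "out_of_state": 0, "flags": []})
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    # Good enough for a same-month excerpt; a real tool would parse full timestamps.
    entries.sort(key=lambda e: (e["mon"], e["day"], e["time"]))
    for e in entries:
        key = (e["iface"], e["src"], e["sport"], e["dst"], e["dport"])
        flow = flows[key]
        flow["count"] += 1
        flow["flags"].append(e["flags"])
        if e["proto"] == "TCP" and classify_tcp(e["flags"]) == "out_of_state":
            flow["out_of_state"] += 1
    return dict(flows)


def diagnose(flow):
    """Plain-language verdict for one flow's blocked packets."""
    if flow["out_of_state"] == flow["count"]:
        msg = ("every blocked packet is mid-stream (no SYN): pf had no state for this flow, "
               "so the default deny dropped it; look for an asymmetric path or a lost state, "
               "not a rule")
    elif flow["out_of_state"] == 0:
        msg = "SYNs are being blocked: a rule (or a missing pass rule) rejects new connections"
    else:
        msg = "mixed: some SYNs blocked by rules and some mid-stream packets without state"
    if flow["flags"] and "R" in flow["flags"][-1]:
        msg += "; the flow ended with a RST, i.e. one side gave up"
    return msg


if __name__ == "__main__":
    for key, flow in summarize(SAMPLE_LOG).items():
        print(key, flow["count"], "blocked:", diagnose(flow))
```

Run against the excerpt it reports one flow, 172.16.3.2:389 to 172.18.1.4:61217 on LAN, with all nine blocks out-of-state and a final RST. That matches the "allow everything" test rules having no effect: the packets never reach rule evaluation as new connections, they are dropped because no state matched.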



  • Should probably add that I, as a test, have firewall rules for LAN that allow all traffic, and a firewall rule for IPsec that specifies that all traffic between 172.18.0.0/16 and 172.16.0.0/16 is allowed.



  • Another update…

    I can have the problem follow me around from domain controller to domain controller. If I add a replication link to another DC, that DC will be inaccessible. Remove the replication link and it becomes available again.
    Wondering if pfSense is having trouble interpreting the dynamic nature of RPC...?

    Regards,
    Anders



  • This definitely had something to do with the network… I have set the MTU size on the remote DC to 1350, and now it seems to be able to connect and replicate...

    Sitting here wondering made me remember that the VPN gateway at the other end had the TCP MSS setting defined at 1350. So now the big question is, how can I set this setting on that tunnel?
    I have seen the setting for MSS clamping, but it seems to be system-wide and I'm not sure how it will affect the other 30-some tunnels that are running...
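The MTU/MSS fix above works because a full-size 1460-byte TCP segment no longer fits in a 1500-byte path once ESP tunnel-mode headers, IV, padding and ICV are added, and when the oversized packet is silently dropped (or its fragmentation-needed ICMP is filtered) the connection stalls after the handshake, which is exactly the "ping works, bulk RPC does not" pattern in the thread. The following is an added worked example, not pfSense or pf code and not a pfSense setting: it computes the on-the-wire size of an ESP tunnel-mode packet per RFC 4303 and from that the largest MSS that still fits a given path MTU. It assumes AES-CBC (16-byte block and IV) with HMAC-SHA1-96 (12-byte ICV), IPv4 without options, and a 1500-byte path; other ciphers, NAT-T or a PPPoE uplink change the numbers.

```python
IPV4_HDR = 20    # IPv4 header without options (assumed)
TCP_HDR = 20     # TCP header without options (assumed)
UDP_HDR = 8      # NAT-T (UDP/4500) encapsulation, if present
ESP_SPI_SEQ = 8  # ESP SPI + sequence number


def esp_tunnel_packet_size(inner_len, block=16, iv=16, icv=12, nat_t=False):
    """Wire size of one inner IPv4 packet after ESP tunnel-mode encapsulation (RFC 4303).

    Defaults model AES-CBC (16-byte block and IV) with HMAC-SHA1-96 (12-byte ICV).
    The ESP trailer (pad-length and next-header bytes) is part of the padded plaintext,
    which is why the overhead is not a constant: it depends on the inner length.
    """
    plain = inner_len + 2                    # inner packet + pad-length + next-header
    padded = -(-plain // block) * block      # pad up to the cipher block size (ceil)
    esp = ESP_SPI_SEQ + iv + padded + icv
    return IPV4_HDR + (UDP_HDR if nat_t else 0) + esp


def segment_fits(mss, path_mtu, **esp):
    """True if a full-size segment for this MSS fits the path MTU after encapsulation."""
    return esp_tunnel_packet_size(IPV4_HDR + TCP_HDR + mss, **esp) <= path_mtu


def max_tcp_mss(path_mtu, **esp):
    """Largest MSS whose full-size segment still fits path_mtu once encapsulated."""
    mss = path_mtu                            # start high and walk down
    while mss > 0 and not segment_fits(mss, path_mtu, **esp):
        mss -= 1
    return mss


def mss_for_host_mtu(mtu):
    """MSS a host advertises for a given interface MTU (IPv4, no TCP options)."""
    return mtu - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    print("1460-byte segment on the wire:", esp_tunnel_packet_size(IPV4_HDR + TCP_HDR + 1460))
    print("max MSS for a 1500-byte path, ESP only:", max_tcp_mss(1500))
    print("max MSS for a 1500-byte path, ESP over NAT-T:", max_tcp_mss(1500, nat_t=True))
    print("MSS a host with MTU 1350 advertises:", mss_for_host_mtu(1350))
    print("does MSS 1350 fit a 1500-byte path?", segment_fits(1350, 1500))
```

Under these assumptions a default 1460-byte segment becomes a 1560-byte packet, while anything up to an MSS of 1398 (1382 with NAT-T) fits, so the remote gateway's 1350 is comfortably safe. Two caveats worth keeping in mind: an MSS clamp only helps TCP, so UDP-based traffic (Kerberos, DNS) over the same tunnel still depends on fragmentation or PMTU discovery working; and clamping at the gateway is the more maintainable fix than lowering the MTU on each server, since it applies to every host behind the tunnel without touching them.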



  • I have been going through a similar issue. There is an MPLS link between two routers (116.0.0.0-115.0.0.0); one of these routers is on my LAN (115.0.0.130), and pfSense is blocking connections from the other side of the MPLS even without any blocking rule. The firewall log shows the connection passing with flag SYN and blocking flags PA; even after adding an "easy rule" it is still blocking. When I use VNC to connect to 116.0.0.x I can connect, but it closes after 10 seconds, for example.



  • @kelsen:

    I have been going through a similar issue. There is an MPLS link between two routers (116.0.0.0-115.0.0.0); one of these routers is on my LAN (115.0.0.130), and pfSense is blocking connections from the other side of the MPLS even without any blocking rule. The firewall log shows the connection passing with flag SYN and blocking flags PA; even after adding an "easy rule" it is still blocking. When I use VNC to connect to 116.0.0.x I can connect, but it closes after 10 seconds, for example.

    You have asymmetric routing and can't statefully filter in that scenario. System>Advanced, Firewall/NAT, check "Bypass firewall rules for traffic on the same interface"
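Kelsen's log pattern (SYN passed, later PA blocked) is what a strict stateful filter does when it sees only one direction of a flow: the SYN created a state, the SYN-ACK came back through the MPLS router and never crossed pfSense, so the state never reached established and every later segment was dropped. The model below is an added illustration written for this thread, not pf's actual code (pf also tracks sequence windows and timeouts); it shows the strict behaviour next to pf's "sloppy" state option, which is the mechanism that lets a filter accept a flow it sees only half of. The hosts 115.0.0.10 and 116.0.0.5 and the packet sequences are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters, e.g. "S", "SA", "A", "PA"


class StatefulFilter:
    """Simplified pf-style TCP state tracker (illustration, not pf's implementation).

    strict (default): a state is created only by a SYN, and the filter must then see
    the SYN-ACK and the ACK, in order, before mid-stream segments are accepted.
    sloppy=True: models pf's 'sloppy' state option, which skips those handshake and
    sequence checks and accepts a flow even when only one direction passes the filter.
    """

    def __init__(self, sloppy=False):
        self.sloppy = sloppy
        self.states = {}  # initiator's (src, sport, dst, dport) -> phase

    def _lookup(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.states:
            return fwd, "fwd"
        if rev in self.states:
            return rev, "rev"
        return None, None

    def process(self, p):
        owner, direction = self._lookup(p)
        if owner is None:
            key = (p.src, p.sport, p.dst, p.dport)
            if p.flags == "S":            # new state only on a bare SYN (pf default flags S/SA)
                self.states[key] = "SYN_SENT"
                return "pass"
            if self.sloppy:               # sloppy: pick the flow up mid-stream
                self.states[key] = "ESTABLISHED"
                return "pass"
            return "block"                # no state and not a SYN: default deny
        if self.sloppy:
            self.states[owner] = "ESTABLISHED"
            return "pass"
        phase = self.states[owner]
        if phase == "SYN_SENT":           # waiting for the responder's SYN-ACK
            if direction == "rev" and p.flags == "SA":
                self.states[owner] = "SYN_RCVD"
                return "pass"
            return "pass" if (direction == "fwd" and p.flags == "S") else "block"
        if phase == "SYN_RCVD":           # waiting for the initiator's ACK
            if direction == "fwd" and "A" in p.flags:
                self.states[owner] = "ESTABLISHED"
                return "pass"
            return "block"
        return "pass"                     # ESTABLISHED: both directions allowed


def run(fw, packets):
    """Verdict ('pass' or 'block') for each packet, in order."""
    return [fw.process(p) for p in packets]


# Constructed scenario: a LAN host (assumed 115.0.0.10) opens VNC to a host behind the
# MPLS router (assumed 116.0.0.5). In the asymmetric case the SYN crosses pfSense but the
# SYN-ACK returns via the MPLS router directly, so the filter never sees it.
CLIENT, SERVER = "115.0.0.10", "116.0.0.5"
SYMMETRIC = [
    Pkt(CLIENT, 50000, SERVER, 5900, "S"),
    Pkt(SERVER, 5900, CLIENT, 50000, "SA"),
    Pkt(CLIENT, 50000, SERVER, 5900, "A"),
    Pkt(CLIENT, 50000, SERVER, 5900, "PA"),
]
ASYMMETRIC = [SYMMETRIC[0], SYMMETRIC[2], SYMMETRIC[3]]  # SYN-ACK took the other path

if __name__ == "__main__":
    print("symmetric,  strict:", run(StatefulFilter(), SYMMETRIC))
    print("asymmetric, strict:", run(StatefulFilter(), ASYMMETRIC))
    print("asymmetric, sloppy:", run(StatefulFilter(sloppy=True), ASYMMETRIC))
```

The strict run reproduces the log: the SYN passes and the ACK and PA that follow are blocked, whatever the rules say, because the rules are only consulted for the packet that creates the state. Sloppy tracking accepts the half-seen flow, which is the trade-off behind bypassing stateful filtering for traffic that enters and leaves on the same interface: the firewall stops verifying the handshake for those flows, so anything on that segment can inject mid-stream packets it would otherwise have dropped.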



  • @cmb:

    You have asymmetric routing and can't statefully filter in that scenario. System>Advanced, Firewall/NAT, check "Bypass firewall rules for traffic on the same interface"

    Any insights on the MSS clamping?



  • @cmb:

    @kelsen:

    I have been going through a similar issue. There is an MPLS link between two routers (116.0.0.0-115.0.0.0); one of these routers is on my LAN (115.0.0.130), and pfSense is blocking connections from the other side of the MPLS even without any blocking rule. The firewall log shows the connection passing with flag SYN and blocking flags PA; even after adding an "easy rule" it is still blocking. When I use VNC to connect to 116.0.0.x I can connect, but it closes after 10 seconds, for example.

    You have asymmetric routing and can't statefully filter in that scenario. System>Advanced, Firewall/NAT, check "Bypass firewall rules for traffic on the same interface"

    That was the problem, thanks so much cmb.

